General
-
Target
Revised Invoice 2.xlsx
-
Size
1.6MB
-
Sample
210118-x5v4254wlx
-
MD5
69d884cc2d163ba2d507788585d1086b
-
SHA1
1c7ce94039307d82b0c29e796db6eec476f01e37
-
SHA256
a5235bf234f4199d7db1d947e38e85953372a6aa9abd6f1eabcd2fabf12eba87
-
SHA512
2cdd0d2f2adfe026df2ae2efc5416d5009ff5ab2000a385d0415dd2bf7b86198aa085e53d1e69d64c3f493f74d0f060b18054a42a320761e42329385783b4402
Static task
static1
Behavioral task
behavioral1
Sample
Revised Invoice 2.xlsx
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Revised Invoice 2.xlsx
Resource
win10v20201028
Malware Config
Extracted
lokibot
http://blueriiver-eu.com/zoro/zoro4/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
Revised Invoice 2.xlsx
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-